US2008301810A1PendingUtilityA1

Monitoring apparatus and method therefor

Assignee: AGILENT TECHNOLOGIES INCPriority: Jun 4, 2007Filed: Jun 3, 2008Published: Dec 4, 2008
Est. expiryJun 4, 2027(~0.9 yrs left)· nominal 20-yr term from priority
H04L 63/1458H04L 63/0245H04L 2463/146H04L 63/0263H04L 2463/141H04L 63/1416H04L 63/02
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine ( 406 ), a data store ( 408 ) and an alert generator ( 410, 412 ). The pattern matching engine ( 406 ) is arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream. The data store ( 408 ) is operably coupled to the pattern matching engine and the data store ( 408 ) is arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack. The alert generator ( 410, 412 ) is arranged to generate an alert in response to an identification of the characteristic of the malicious attack. The data store ( 408 ) is remotely updatable.

Claims

exact text as granted — not AI-modified
1 . A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
 a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;   a data store operably coupled to the pattern matching engine, the data store being arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack; and   an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack; wherein   the data store is remotely updatable.   
     
     
         2 . An apparatus as claimed in  claim 1 , further comprising a data updating entity operably coupled to the data store and arranged to receive a plurality of datagrams comprising replacement identification data. 
     
     
         3 . An apparatus as claimed in  claim 2 , wherein the data updating entity is arranged to store the replacement identification data in place of the identification data. 
     
     
         4 . An apparatus as claimed in  claim 2 , wherein the pattern matching engine is arranged to cease identifying the characteristic of the malicious attack in response to receipt of a datagram of the plurality of datagrams comprising the replacement identification data. 
     
     
         5 . An apparatus as claimed in  claim 4 , wherein the pattern matching engine is arranged to revert to identifying the characteristic of the malicious attack upon confirmed replacement of the identification data with the replacement identification data. 
     
     
         6 . An apparatus as claimed in  claim 1 , further comprising:
 a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.   
     
     
         7 . An apparatus as claimed in  claim 6 , wherein the sub-channel is arranged to be used for communication of acknowledgement data responsive to a datagram comprising a part of the replacement data. 
     
     
         8 . An apparatus as claimed in  claim 7 , wherein the data updating entity is operably coupled to the sub-channel injector entity and is arranged to generate the acknowledgement data and communicate the acknowledgement data to the sub-channel injector entity. 
     
     
         9 . A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in  claim 1 . 
     
     
         10 . An interface card for a network element comprising the processing resource as claimed in  claim 9 . 
     
     
         11 . A communications system comprising the monitoring apparatus as claimed in  claim 1 . 
     
     
         12 . A method of detecting a malicious attack in a communications network, the method comprising:
 receiving a bit stream;   identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;   accessing identification data stored by a data store to enable identification of the characteristic of the malicious attack; and   generating an alert in response to an identification of the characteristic of the malicious attack; and   recognising a received datagram containing replacement identification data indicative of a need to update the data store.   
     
     
         13 . A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
 a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;   an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack; and   an alert processing entity operably coupled to the alert generator, the alert processing entity being arranged to receive the alert constituting alert information and limit communication of the alert information for receipt by an alert information collection unit.   
     
     
         14 . An apparatus as claimed in  claim 13 , wherein the alert information collection unit is not collocated with the alert processing entity within the topology of the communications network. 
     
     
         15 . An apparatus as claimed in  claim 13 , wherein the alert processing entity is arranged to generate a digest of alert information received in respect of a plurality of alerts generated by the alert generator. 
     
     
         16 . An apparatus as claimed in  claim 15 , wherein the digest comprises one or more of the following parameters: a used port number, a duration of a plurality of packets constituting the malicious attack, an identity of a link being monitored, location of the monitoring apparatus in the communications network, data identifying a type of the characteristic detected, a rate of receipt of datagrams containing a same type of the characteristic detected, a number of sources of datagrams containing the characteristic detected, a number of destinations of datagrams containing the characteristic detected, and/or datagram length. 
     
     
         17 . An apparatus as claimed in  claim 14 , wherein the alert processing unit is arranged to communicate the alert information in response to receipt of multiple receipts of the alert exceeding a predetermined threshold. 
     
     
         18 . An apparatus as claimed in  claim 13 , further comprising:
 a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.   
     
     
         19 . An apparatus as claimed in  claim 18 , wherein the sub-channel injector is operably coupled to the alert processing entity, the alert processing entity being arranged to use the sub-channel to communicate the alert information. 
     
     
         20 . A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in  claim 13 . 
     
     
         21 . An interface card for a network element comprising the processing resource as claimed in  claim 20 . 
     
     
         22 . A communications system comprising the monitoring apparatus as claimed in  claim 13 , the system further comprising:
 an alert information collection unit remotely located from the monitoring apparatus at a monitoring station; wherein   the monitoring station is arranged to communicate instruction data to the monitoring apparatus in response to receipt of the alert information.   
     
     
         23 . A system as claimed in  claim 22 , wherein the instruction data identifies an action to be taken by the monitoring apparatus in relation to the at least one datagram baring the characteristic of the malicious attack. 
     
     
         24 . A system as claimed in  claim 23 , wherein the action at least mitigates and/or neutralises an intended effect of the malicious attack. 
     
     
         25 . A system as claimed in  claim 22 , wherein the response to the receipt of the alert information is automated. 
     
     
         26 . A system as claimed in  claim 22 , wherein the monitoring station is arranged to communicate the alert information to a user, the monitoring station providing the user with freedom to select and initiate communication of the instruction data. 
     
     
         27 . A method of detecting a malicious attack in a communications network, the method comprising:
 receiving a bit stream;   identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;   generating an alert in response to an identification of the characteristic of the malicious attack;   recognising a received datagram containing replacement identification data indicative of a need to update the data store; and   processing the alert constituting alert information and limiting communication of the alert information for receipt by an alert information collection unit.   
     
     
         28 . A computer program element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of  claim 12 . 
     
     
         29 . A computer program code element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of  claim 27 . 
     
     
         30 . An apparatus as claimed in  claim 13 , wherein the alert information causes the monitoring apparatus to take an action, the action at least mitigating and/or neutralising an intended effect of the malicious attack. 
     
     
         31 . An apparatus as claimed in  claim 13 , wherein the alert information causes the monitoring apparatus to drop a packet relating to the malicious attack.

Join the waitlist — get patent alerts

Track US2008301810A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.